Add a glob pattern as an explicit allow rule in your custom policy.
Usage
rampart allow <pattern> [flags]
Arguments
pattern (required)
Glob pattern to match against commands (exec tool) or file paths (read/write/edit).
Flags
--global
Write to global policy (~/.rampart/policies/custom.yaml)
--project
Write to project policy (.rampart/policy.yaml)
--tool
string
default:"auto-detect"
Tool type: exec, read, write, edit (default: auto-detect from pattern)
--message
Optional reason displayed when the rule matches
--api
string
default:"http://127.0.0.1:9090"
Rampart serve API address for policy reload
API auth token (or set RAMPART_TOKEN)
Pattern matching
Patterns are matched against:
- Commands (exec tool): npm install *, git push, etc.
- File paths (read/write/edit): /tmp/**, *.env, etc.
Rampart auto-detects whether the pattern is a command or path based on whether it contains a /.
Examples
Allow npm install
rampart allow "npm install *"
Adding rule to project policy (.rampart/policy.yaml):
Action: allow
Pattern: npm install *
Tool: exec
Add this rule? [y/N] y
✓ Rule added to policy.yaml
Policy reloaded (12 rules active)
Allow Go tests
rampart allow "go test ./..."
Allow writing to /tmp
rampart allow "/tmp/**"
Adding rule to project policy (.rampart/policy.yaml):
Action: allow
Pattern: /tmp/**
Tool: read
Add this rule? [y/N] y
✓ Rule added to policy.yaml
Note: Auto-detected as read tool because the pattern starts with /.
Allow with custom message
rampart allow "curl https://api.example.com/*" \
--message "API calls to example.com are safe"
Non-interactive (CI)
rampart allow "make build" --yes
rampart allow "build.sh" --tool exec
Without --tool exec, this would be auto-detected as a path rule.
Target selection
By default, Rampart writes to:
- Project policy (.rampart/policy.yaml) if in a git repo
- Global policy (~/.rampart/policies/custom.yaml) otherwise
Override with flags:
# Force global
rampart allow "npm test" --global
# Force project
rampart allow "npm test" --project
Pattern syntax
Wildcards
* — Match any characters except /
** — Match any characters including /
? — Match a single character
[abc] — Match any character in the set
[a-z] — Match any character in the range
Examples
# Match any npm command
rampart allow "npm *"
# Match all .env files
rampart allow "**/.env"
# Match specific file
rampart allow "/etc/hosts"
# Match directories
rampart allow "~/projects/**"
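To preview how much an allow rule covers before adding it, the wildcard table above can be modelled in a few lines. This is an added example, not Rampart's own matcher: it assumes the table applies to command strings the same way as to paths and that a pattern must match the whole string, and glob_to_regex, covered and the sample inputs are hypothetical names and constructed data.

```python
import re

def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate the wildcard table above into a regex.
    Assumption: the whole command or path must match (not stated on the page)."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if pattern.startswith("**", i):
            out.append(".*")          # ** crosses '/'
            i += 2
        elif c == "*":
            out.append("[^/]*")       # * stops at '/'
            i += 1
        elif c == "?":
            out.append(".")           # exactly one character
            i += 1
        elif c == "[":
            end = pattern.find("]", i + 1)
            if end == -1:
                raise ValueError("invalid glob pattern: missing closing bracket ']'")
            out.append("[" + pattern[i + 1:end].replace("\\", "\\\\") + "]")
            i = end + 1
        else:
            out.append(re.escape(c))  # everything else is literal
            i += 1
    return re.compile("".join(out), re.DOTALL)

def covered(pattern: str, subjects: list[str]) -> list[str]:
    """Return the subjects an allow rule with this pattern would cover."""
    rx = glob_to_regex(pattern)
    return [s for s in subjects if rx.fullmatch(s)]

# Constructed sample inputs, not taken from Rampart logs.
COMMANDS = [
    "npm install lodash",
    "npm install @types/node",
    "npm run build",
    "curl https://api.example.com/status",
    "curl https://api.example.com/v1/users",
    "curl https://api.example.com/status -o out.json",
]
PATHS = ["/tmp/a.txt", "/tmp/build/cache/x.o", "/srv/app/.env", "/srv/app/.env.bak"]

if __name__ == "__main__":
    for pat in ["npm install *", "npm *", "curl https://api.example.com/*"]:
        print(f"{pat!r} covers {covered(pat, COMMANDS)}")
    for pat in ["/tmp/*", "/tmp/**", "**/.env"]:
        print(f"{pat!r} covers {covered(pat, PATHS)}")
```

Under these assumptions a trailing * covers any extra arguments that contain no /, so a command rule is wider than the one invocation it was written for, while anything containing a / after the wildcard falls outside the rule.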
Warnings
Rampart warns about overly permissive patterns:
Adding rule to project policy (.rampart/policy.yaml):
Action: allow
Pattern: **
Tool: exec
⚠️ Warning: Overly permissive pattern
• matches ALL commands/paths — effectively disables policy
Add this rule? [y/N]
Patterns that trigger warnings:
*, **, **/** — Match everything
/*, /** — Match all paths under /
~/*, ~/** — Match all paths under home directory
Policy reload
If rampart serve is running, the policy is automatically reloaded:
✓ Rule added to custom.yaml
Policy reloaded (15 rules active)
If serve is not running:
Saved to ~/.rampart/policies/custom.yaml
(Run 'rampart serve' to activate changes immediately)
Use cases
Whitelist development commands
rampart allow "npm *"
rampart allow "yarn *"
rampart allow "pnpm *"
rampart allow "go *"
rampart allow "cargo *"
Allow CI scripts
rampart allow "./scripts/deploy.sh" --global --yes
rampart allow "make deploy" --global --yes
Allow temporary file writes
rampart allow "/tmp/**"
rampart allow "~/Downloads/**"
Allow API calls
rampart allow "curl https://api.github.com/*"
rampart allow "curl https://api.example.com/*"
Troubleshooting
Pattern already exists
⚠️ Pattern already exists: allow exec "npm install *"
Use 'rampart rules' to view existing rules.
The pattern is already in your custom policy. Remove it first:
rampart rules remove <index>
Invalid pattern
invalid glob pattern: missing closing bracket ']'
Fix the pattern syntax:
# Bad
rampart allow "file[a-z"
# Good
rampart allow "file[a-z]"
Policy not reloaded
Saved to custom.yaml
(Run 'rampart serve' to activate changes immediately)
Start the serve daemon:
rampart serve
Mutual exclusion error
--global and --project are mutually exclusive
Choose one:
rampart allow "npm test" --global
# OR
rampart allow "npm test" --project